fix(deps): update dependency org.apache.avro:avro to v1.11.5 [security] #10232
Conversation
Summary of Changes
Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request upgrades the Apache Avro Java SDK dependency to a patched version. The primary goal is to resolve a recently disclosed security vulnerability, ensuring the project utilizes a more secure and stable version of the library.
Code Review
This pull request correctly updates the org.apache.avro:avro dependency to version 1.11.5, addressing the security vulnerability CVE-2025-33042. The change is correct and necessary. While this PR is good to merge, I'd like to point out a potential area for future improvement. The pom.xml file uses shared-configuration version 1.2.0. A general rule for this repository is to keep the shared-configuration parent at the latest version. It would be beneficial to verify if this and other core dependencies like libraries-bom are up-to-date and, if not, update them in a separate PR to maintain project health and security.
This PR contains the following updates:
Package: org.apache.avro:avro, Change: 1.11.4 → 1.11.5
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-33042
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.
Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
Release Notes
apache/avro (org.apache.avro:avro)
v1.11.5 (Compare Source)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.